Posted
by
Unknown Lamer
on Wednesday June 13, 2012 @12:09PM
from the retaliation-for-stuxnet dept.

Trailrunner7 writes, quoting Threatpost: "Researchers have identified an ongoing series of attacks, possibly emanating from China, that are targeting a number of high-profile organizations, including SCADA security companies, universities and defense contractors. The attacks are using highly customized malicious files to entice targeted users into opening them and starting the compromise. The attack campaign is using a series of hacked servers as command-and-control points and researchers say that the tactics and tools used by the attackers indicates that they may be located in China. The first evidence of the campaign was an attack on Digitalbond, a company that provides security services for ICS systems. ... In addition to the attack on Digitalbond, researchers have found that the campaign also has hit users at Carnegie Mellon University, Purdue University and the University of Rhode Island."

That is correct. 5 years ago I worked at a Defense contractor and we had a carefully crafted spear phishing attack. The hackers learned that Company "doe" did the support for IT for most of their IT. The group created a "doesupport.com" domain, and stole company logos from "doe.com". A fake site was crafted, and honestly looked pretty legit. They even had someone that knew English do the wording. The problem was, with all that work they had a username and password dialogue box on the site, and our users were warned about this type of attack every day. We had 1 user out of about 6800 log in to the site, and more than 2800 tickets from users reporting the suspected site.

The site was in the US, but traced it's roots to China. Interesting how fast this gets found out when Government is involved.

Obviously "doe" is a fictional name to protect both the contractor and support people.

I'm not sure you understand the complex nature of these attacks. These are not simply fire and forget executable files, like you see in your email constantly from script kiddies. There are few, if any, executable files involved initially. They are more after usernames, passwords, and network information. From their, they can launch more sophisticated attacks trying to gain access to network components, etc... and do more targeted phishing and attempt to send files.

My suspicion is that this is basically observation bias in action. Every public system on the internet in every country is subject to a constant barrage of low level email driven malware, these days. We only hear the reports of the universities, IT security companies, and government services, because these are the only folks with enough security consciousness and enough to lose to notice it, and who are worth writing news articles about. This doesn't mean a particular attack is targetted, or trying to accom

The China of the 50s and 60s was hardline communist (and killed ~60 million of their own people). Since that time China has experienced the Tienamen Square uprising & moved towards European-style socialism (free market capitalism + government safety nets). No longer following the same policies as the 50s/60s-era government.

Besides: It is not to their advantage to start killing their customers.

You are making a massive leap in logic. If we opened a war with North Korea for example, I think you would find that even if it did not do so openly, China would be sending in lots of troops. The regime is not the only difference between now and the Vietnam/NK war times. There is also no open war in the area, which makes probably more difference than who is currently in power.

Since we have such a closed government now, and many other countries are following the same exact tight lipped policies let me ask a few questions.

Syria, how many foreigners are involved? We simply don't know, and obviously we won't know. I think we both know that the US, China, and Russia are all involved right? Just how much and who becomes the question. Is Russia simply supplying arms? Or are they also manning gunships in "Police" action? (Just like the US does mind you)

How many Iranians are involved in the constant fights still going on in Iraq and Afghanistan? Pakistanis? Again, we don't know.

These are small conflicts at this point, the US made sure that the actual war was over very quickly. If this was a longer war, would more troops from more countries be involved? Historically the answer is a resounding "FUCK YEAH!"

The more open the conflict, the more apt there will be for people to send in soldiers. It's a simple game in politics that is universally played. Everyone want's their interests interjected on the other side. If that was not true, why would we have wars in the first place?

By all means try and justify Chinese exceptionalism. Just don't expect people to like you (personally or collectively) very much.

America has lots of friends. On the other hand, China has North Korea, Pakistan and a bunch of shitty African dictatorships only. If people are judged by the company they keep, then China is utterly, royally fucked.

Are you saying Pakistan is a "bad friend" and proof of China's shittiness? Well WE are friends with Pakistan. What's that say about us?

Americans have killed more people in the last decade than any other country. 300,000 dead and about 2 million casualties with permanent disabilities (blown off arms, jaws, legs). What does THAT say about us? Speaking strictly as an observer I'd say China, the EU, even Russia look better.

We have a saying here: if you lie down with dogs, you get up with fleas.

Maybe the Pakistanis will start shit on China's western flank, and they'll start sending in waves upon waves of the world's most vicious and bloodthirsty terrorists to start shit, like they've done in Kashmir. Maybe China needs a few thousand more involuntary organ donors.

Totally happy for China to learn that lesson the hard way. Let's see how that 'all weather friendship works out', once the super-Muslims of Pakistan work out that the

The unofficial estimate for Tibet is about half a million deaths. But since no visitors are allowed in, I guess you can easily claim that's a lie. The difference I see is that the US publicly faces the suffering it has caused, and its people are forced to consider their country's actions. While China, with its government restricting the movement of even its own citizens, and disallowing any reporting contrary to their narrative, has perpetuated a society without a sense of introspection. What this tells me

How many Chinese have been killed by other Chinese? (Google "Great Leap Forward" and "Cultural Revolution")

(Of course, you can point out that Americans kill Americans in mass numbers -- the Civil War,and, of course, the entire process of claiming the continent from the natives.. but then you can also compare Chinese civil wars and various ethnic clashes at those points in history, as well. Pick a century, and line 'em up, and see who is more brutal. (Answer: Probably no one to any meaningful degree, because we're all human, and thus, we all pretty much behave the same way over a span of time. You can always cherry-pick a decade or two where one culture was unusually peaceful, or pick a small or isolated subculture, but the longer you stretch the timescale or widen the definition of 'culture', the more it becomes obvious that we're not a peaceful species.))

About the same as the number of Americans killed by the Japanese in 1940.
Or the number of Jews killed by the Germans in 1935.
Or the number of Chinese killed by the Japanese in 1930.

A belief in racial superiority.
A belief that their finally taking their rightful place as a world power.
A resentful belief that the race had been held down due to malevolent forces (Jews, Colonialism).
A stated aim to "unify" with others of the same race (whether those others want to unify or not).

There are a few fringe groups in the west with the belief in racial superiorty. However they don't have the other beliefs.
What is the western equivalent of Wang Leehom's "Descendants of the Dragon"? - a hit song by a famous singer celebrating a particular race? What is the western equivalent of China's desire to annex Taiwan - by blood and death if necessary?

Numerous studies have shown a sizeable minority to potentially a majority of the US Right is categorically racist. It's completely mainstream to hold that the US is superior to the arab, and to the african. Notice the prevalence of the 'they are outbreeding us' argument, which outlines clearly the racial eugenics tinge to that whole belief.

Moreover, race isn't the only thing that creates aggressive jingoistic nationalism. Religion is pretty good too.

... if we aren't making our chips here, how can we ever expect to be able to secure our milatary secerets? I hate how goverment subsidies to an industry are pretty much impossible to repeal after they are created, but national security should genereally take front stage.

When we start using cyberweapons against people without constraint and then post a whole bunch of articles about how cost effective it is, other nations see that as a reason enough to use them against us. Most states cant afford enough money to build $35 million dollar fighter jets or spy satilites, but can slip some script kiddies a few bucks to send out some spam with exploits in it.

This is low level Cyber warfare and its starting to ramp up. this is like the introduction of planes in WWI. At first they waived at each other on their scouting mission. then someone brought a pistol, then a rifle. Then it was gunners and machineguns until we get the Red Baron and Fighter Aces. Next thing we know its jet Propulsions and heat Seakers, Stealth fighters launching! Make no mistake, Stuxnet was the First pistol at 1000 feet, what comes next no one can guess.

what is obvious is that Information Assutrance is no longer a support service, somewhere behind tech support and first to be cut, IA is now a front line warfighter task. Lets just hope the bean countes realize in time!

Sure we can guess, because it's just the same goddamn hacking methods. The only new thing that'll obviously change is the quality and complexity of the malicious software - like more intelligent worms/trojans/botnets/whatever. Stuxnet wasn't the first pistol, it was the first heat-seeker.

For some time, Chinese hacking has been the "landwar in Asia" tactic. Lots and lots of units in the field. When you have 30,000 longbowmen, it really doesn't matter how good their aim is, as long as they can fire quickly and in roughly the right direction a lot of people are going to be hit by arrows. Much of their hacking has been the same, sacrifice accuracy for quantity and get results.

The USA has (for quite some time now) preferred the "sniper" model. Small groups, low profile, and then someone fall

Stuxnet wasn't a virus designed to spread until it found Natanz and then attack it. That would have been noticed much earlier. Stuxnet was deployed inside the air-gapped systems of Natanz, and was only detected after it escaped containment and began to spread.

That's the sniper using a ghillie suit and flash suppression, hiding in a marsh. Sounds like the USA's m.o.

You can rest assured that Three Letter Agencies have that aspect covered (and of course the important shit has its own internets). A power cutoff device to drop all outside connectivity for-damn-sure is pretty normal in such datacenters.

Local governments, however, are a different story. If these attacks go from information collecting to causing mayhem, the first attack will get quite ugly. The somone will sell a buttload of remove power cutoff boxes, and that threat will end (well, except for the inevitab

The most recent theory is the Natanz system was most likely infected on the non-Internet side of the facility by software planted an agent. The Internet cable was not plugged in until long after the damage was done.

There was no simple defense, no easy prevention when the attackers are the IDF and you've both announced "death to Israel" and are enriching uranium.

FTFS: "Researchers have identified an ongoing series of attacks, possibly emanating from China, that are targeting a number of high-profile organizations, including SCADA security companies, universities and defense contractors."

While Willie Sutton never actually said "that's where the money is" when it came to robbing banks, the truth in general about that statement couldn't be more apropos regarding this situation.

If you are a defense contractor doing IT and you're clicking on random.exe files in your email, you may want to consider another line of work. I mean, to be honest, your users shouldn't even be able to run them, or send them over the company e-mail network.

That's why we have administrator-level access and ultra-restrictive GPOs in the first place, right? In the hopes that the few people who can actually do damage to computers and servers aren't monkeys banging away in the hopes of producing Shakespeare?

As a final note, I would like to point out that ending my post with a question mark makes it seem more poingant and totally deserving a five. Except I spoiled it. Crap.

...that it is NOT *.exe attachments. These days are long over. Attackers use PDF or MS Office documents attached to emails. So you are Wally Blacksmith of Killcorp Inc. Your job entails developing novel radar systems. One nice, sunny morning you get a nicely worded email about "Innovations in low-observable Radar" and it writes about a conference in Napes, Italy. The sender appears to be james.smith@britishradar.com. So you can't wait to see that the brits are up to an you click on that PDF. Acrobat Reader

"The attack begins with a spear phishing email sent to employees of the targeted company and containing a PDF attachment. In Digitlbond's case, the file is called "Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe" and when it's opened, the file installs a Trojan downloader called spoolsvr.exe."

If you are running an unsolicited attachment called blah.pdf.exe and ignoring the windows authorisation message that pops up, then why the hell are you providing IT secu

If "cyberwar" was actually a real threat they cared about, they would shift to Linux and thin-client desktops forthwith. Hell, they could get more government money for doing so. "It's for security!" That they are not doing so shows that this is not a real threat, but trumped-up nonsense to try to look like there's a problem. Which they need more money to deal with.

"Researchers have identified an ongoing series of attacks, possibly emanating from China, that are targeting a number of high-profile organizations, including SCADA security companies

Just who in their right minds connects a SCADA unit directly to the Internet. Lets have a contest too see how long someone can write about Internet security without once mentioning Microsoft Windows.

"In Digitlbond's case, the file is called "Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe" and when it's opened, the file installs a Trojan downloader [threatpost.com] called spoolsvr.exe"

And the sad thing is that due to incompetence and/or greed, the DoD not only permits Windows on its networks, it actually ENCOURAGES it. Many of the security reqs are written such that only Windows can really do all them(basically they throw in some pointless shit that only windows does but doesnt offer any security and call it a major issue). The PLA really should write Redmond a thank you letter for writing such shitty software then lobbying the hell out of the people in power to get it installed everyw

Before I am going to elaborate, yes - technology will be only part of the fix. But technology will be a major part of better security !
Here is my list of security technologies:

Sandboxing:Google Chrome's Sandbox is an excellent example of how to limit damage from faulty code. Much more could be done by using this approach in many other file formats and use cases. Other interesting approaches are AppArmor, SE Linux and Linux Security Modules in general.

made it to ppl who know one thing about trojans and security.
I love how he explains that "Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe" installs spoolsvr.exe... this email would not even make it to someones mailbox and if the email makes it and that someone is a "programmer" or "security expert" and did not
understand that this is most probably a trojan then.... f*c|$
"Attacks Targeting US Defense Contractors and Universities Tied to China" is a really bad title